Configuring A Static Ip Source Guard Binding Entry - H3C S9500E Series Security Configuration Manual

•
A dynamic binding is implemented in cooperation with DHCP snooping or DHCP Relay. It is
suitable when there are many hosts in a LAN, and DHCP is used to allocate IP addresses to
the hosts. Once DHCP allocates an IP address for a user, the IP source guard function will
automatically add a binding entry based on the DHCP entry to allow the user to access the
network. If a user specifies an IP address instead of getting one through DHCP, the user will
not trigger DHCP to allocate an IP address, and therefore no IP source guard binding will be
added for the user to access the network. In this way, IP address collision and theft are
prevented.
You cannot configure the IP source guard function on a port in an aggregation group, nor can you add a
port configured with IP source guard to an aggregation group.
Configuring a static IP source guard binding
entry
Follow these steps to configure a static IP source guard binding entry:
To do...
1. Enter system view
2. Enter Ethernet interface view
3. Configure a static IP source
guard binding entry
You cannot configure the same static binding entry on one port for multiple times, but you can configure
•
the same static entry on different ports.
In an IP source guard binding entry, the MAC address cannot be all 0s, all Fs (a broadcast address), or
•
a multicast address, and the IP address can only be a Class A, Class B, or Class C address and can be
neither 127.x.x.x nor 0.0.0.0.
Use the command...
system-view
interface interface-type interface-number
user-bind { ip-address ip-address |
ip-address ip-address mac-address
mac-address | mac-address mac-
address } [ vlan vlan-id ]
162
Remarks
—
—
Required
No static IP source guard
binding entry exists by
default.